Cloudflare WAF and edge protection (OPS.1)
Place Cloudflare in front of ehxlabs.xyz and docs.ehxlabs.xyz before exposing production to broad traffic.
Prerequisites
- DNS managed in Cloudflare (orange-cloud proxied records).
- Origin: Compose + Caddy on the VM (compose-ehxlabs-xyz.md).
Recommended settings
| Area | Action |
|---|---|
| SSL/TLS | Full (strict) once origin cert is valid |
| Always HTTPS | On |
| Bot Fight Mode | On for marketing; tune if it blocks legitimate API clients |
| WAF | Managed ruleset + OWASP core rules (log first, then block) |
| Rate limiting | Rules on /api/v1/chat/*, /api/v1/auth/*, /api/v1/checkout/* (e.g. 60 req/min per IP) |
Bot fight vs captcha
| Control | When |
|---|---|
| Cloudflare Bot Fight / Super Bot Fight | First line at edge — cheap, no app change |
| Turnstile (app) | Free-tier chat/generate when EHX_TURNSTILE_SECRET + NEXT_PUBLIC_TURNSTILE_SITE_KEY are set |
Use both: edge bot scoring plus Turnstile on high-cost routes.
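The Turnstile side of that pairing lives in the app, so the origin has to validate each token with Cloudflare's siteverify endpoint before doing the expensive work. The following is an added example (not ehx-web's own code) of that server-side check: it is gated on the same two environment variables the table names, binds the token to the resolved client IP, and fails closed on any transport or parse error. The function names, the 2048-character token sanity cap and the injectable post hook are assumptions made for this illustration; the siteverify URL and the success/hostname fields are Cloudflare's documented API.

```python
"""Server-side Turnstile verification for high-cost routes (added example, not project code)."""
import json
import os
import urllib.parse
import urllib.request
from typing import Callable, Mapping, Optional

# Cloudflare's documented endpoint for validating a Turnstile response token.
SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify"

# Local sanity cap on token length (assumed value, not a Cloudflare constant).
MAX_TOKEN_LEN = 2048


def _post_form(url: str, fields: Mapping[str, str]) -> dict:
    """Default transport: POST form-encoded fields and parse the JSON reply."""
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def turnstile_enabled(env: Optional[Mapping[str, str]] = None) -> bool:
    """Mirror the page's rule: Turnstile is active only when both variables are set."""
    env = os.environ if env is None else env
    return bool(env.get("EHX_TURNSTILE_SECRET")) and bool(
        env.get("NEXT_PUBLIC_TURNSTILE_SITE_KEY")
    )


def verify_turnstile(
    token: Optional[str],
    remote_ip: Optional[str],
    secret: str,
    expected_hostname: Optional[str] = None,
    post: Callable[[str, Mapping[str, str]], dict] = _post_form,
) -> bool:
    """Return True only when Cloudflare confirms the token.

    remote_ip should be the client address resolved from CF-Connecting-IP so the
    token is tied to the client that solved the challenge. Any exception from the
    transport, or any reply that is not an explicit success, is treated as failure.
    """
    if not token or len(token) > MAX_TOKEN_LEN:
        return False
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    try:
        result = post(SITEVERIFY_URL, fields)
    except Exception:
        return False
    if not isinstance(result, dict) or result.get("success") is not True:
        return False
    # Optional hardening: refuse tokens solved on a different hostname.
    if expected_hostname and result.get("hostname") != expected_hostname:
        return False
    return True


def guard_free_tier_request(token, remote_ip, env=None, post=_post_form) -> bool:
    """Decide whether a free-tier chat/generate call may proceed.

    When Turnstile is not configured the route is left to edge bot scoring alone,
    which matches the table above; when it is configured the token must verify.
    """
    env = os.environ if env is None else env
    if not turnstile_enabled(env):
        return True
    return verify_turnstile(token, remote_ip, env["EHX_TURNSTILE_SECRET"], post=post)
```

Keep the secret out of logs and never call siteverify from the browser; only the server-side POST carries EHX_TURNSTILE_SECRET.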
Headers at origin
Caddy forwards CF-Connecting-IP and CF-IPCountry to the API (see ehx-web/Caddyfile). Admin allowlists use the client IP from these headers when present.
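CF-Connecting-IP is only meaningful when the request actually arrived through Cloudflare; a client that reaches the origin directly can put any value in that header, and an allowlist that trusts it blindly is bypassable. The block below is an added example, not ehx-web's code, of resolving the client address the way the allowlist should: honour the header only when the TCP peer is a Cloudflare edge, fall back to the peer address otherwise, and apply the same gate to CF-IPCountry. The CLOUDFLARE_RANGES and ADMIN_ALLOWLIST values are constructed documentation-range placeholders, and the function names are assumptions for this illustration; in production the trusted ranges come from Cloudflare's published IP lists.

```python
"""Resolve the real client IP behind Cloudflare and apply an admin allowlist (added example)."""
import ipaddress
from typing import Iterable, Mapping, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Placeholder trusted-proxy ranges (constructed, RFC 5737/3849 documentation space).
# Production code loads Cloudflare's published IPv4/IPv6 lists and refreshes them.
CLOUDFLARE_RANGES: list = [
    ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:cf::/48")
]

# Placeholder admin allowlist (constructed values).
ADMIN_ALLOWLIST: list = [
    ipaddress.ip_network(n) for n in ("198.51.100.10/32", "2001:db8:1::/64")
]


def _in_ranges(ip: IPAddr, ranges: Iterable[IPNet]) -> bool:
    return any(ip in net for net in ranges)


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get(name.lower())
    return value.strip() if value else None


def via_cloudflare(peer_addr: str) -> bool:
    """True when the TCP peer is one of the trusted edge ranges."""
    return _in_ranges(ipaddress.ip_address(peer_addr), CLOUDFLARE_RANGES)


def client_ip(peer_addr: str, headers: Mapping[str, str]) -> IPAddr:
    """Return the address to treat as the client.

    CF-Connecting-IP is trusted only when the connection came from a Cloudflare
    edge; otherwise the header is caller-controlled and the peer address wins.
    A malformed header value also falls back to the peer address.
    """
    peer = ipaddress.ip_address(peer_addr)
    if not _in_ranges(peer, CLOUDFLARE_RANGES):
        return peer
    raw = _header(headers, "CF-Connecting-IP")
    if not raw:
        return peer
    try:
        return ipaddress.ip_address(raw)
    except ValueError:
        return peer


def client_country(peer_addr: str, headers: Mapping[str, str]) -> Optional[str]:
    """CF-IPCountry under the same trust rule; None when not reachable via the edge."""
    if not via_cloudflare(peer_addr):
        return None
    return _header(headers, "CF-IPCountry")


def admin_allowed(peer_addr: str, headers: Mapping[str, str]) -> bool:
    """Admin allowlist decision on the resolved client address."""
    return _in_ranges(client_ip(peer_addr, headers), ADMIN_ALLOWLIST)
```

Pair this with network-level restriction of the origin (only Cloudflare ranges may reach the VM's 443), so that the header-trust rule is a second check rather than the only one.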
Verification
- curl -I https://ehxlabs.xyz — cf-ray header present.
- Trigger a rate-limit rule — expect 429 from Cloudflare before origin load.
- Confirm API still accepts browser calls with cookies from the same site.